JS: Provide better model for Array.splice

RasmusWL · RasmusWL · commit ec18786488db · 2024-06-12T16:29:21.000+02:00
diff --git a/javascript/ql/lib/semmle/javascript/Arrays.qll b/javascript/ql/lib/semmle/javascript/Arrays.qll
@@ -77,8 +77,8 @@ module ArrayTaintTracking {
     succ = call.getReceiver().getALocalSource() and
     call.getCalleeName() = ["push", "unshift"]
     or
-    // `array.splice(i, del, e)`: if `e` is tainted, then so is `array`.
-    pred = call.getArgument(2) and
+    // `array.splice(i, del, ...items)`: if any item is tainted, then so is `array`.
+    pred = call.getArgument(any(int i | i >= 2)) and
     succ.(DataFlow::SourceNode).getAMethodCall("splice") = call
     or
     // `e = array.pop()`, `e = array.shift()`, or similar: if `array` is tainted, then so is `e`.
@@ -274,14 +274,14 @@ private module ArrayDataFlow {
 
   /**
    * A step modeling that `splice` can insert elements into an array.
-   * For example in `array.splice(i, del, e)`: if `e` is tainted, then so is `array
+   * For example in `array.splice(i, del, ...items)`: if any item is tainted, then so is `array`
    */
   private class ArraySpliceStep extends PreCallGraphStep {
     override predicate storeStep(DataFlow::Node element, DataFlow::SourceNode obj, string prop) {
       exists(DataFlow::MethodCallNode call |
         call.getMethodName() = "splice" and
         prop = arrayElement() and
-        element = call.getArgument(2) and
+        element = call.getArgument(any(int i | i >= 2)) and
         call = obj.getAMethodCall()
       )
     }
diff --git a/javascript/ql/test/library-tests/Arrays/DataFlow.expected b/javascript/ql/test/library-tests/Arrays/DataFlow.expected
@@ -19,4 +19,5 @@
 | arrays.js:29:21:29:28 | "source" | arrays.js:38:8:38:17 | arr5.pop() |
 | arrays.js:29:21:29:28 | "source" | arrays.js:40:8:40:26 | arr5.slice(2).pop() |
 | arrays.js:29:21:29:28 | "source" | arrays.js:46:8:46:17 | arr6.pop() |
+| arrays.js:33:37:33:44 | "source" | arrays.js:35:8:35:25 | arr4_variant.pop() |
 | arrays.js:49:4:49:11 | "source" | arrays.js:50:10:50:18 | ary.pop() |
diff --git a/javascript/ql/test/library-tests/Arrays/TaintFlow.expected b/javascript/ql/test/library-tests/Arrays/TaintFlow.expected
@@ -20,6 +20,7 @@
 | arrays.js:29:21:29:28 | "source" | arrays.js:38:8:38:17 | arr5.pop() |
 | arrays.js:29:21:29:28 | "source" | arrays.js:40:8:40:26 | arr5.slice(2).pop() |
 | arrays.js:29:21:29:28 | "source" | arrays.js:46:8:46:17 | arr6.pop() |
+| arrays.js:33:37:33:44 | "source" | arrays.js:35:8:35:25 | arr4_variant.pop() |
 | arrays.js:49:4:49:11 | "source" | arrays.js:50:10:50:18 | ary.pop() |
 | arrays.js:49:4:49:11 | "source" | arrays.js:51:10:51:12 | ary |
 | arrays.js:91:9:91:16 | "source" | arrays.js:91:8:91:34 | ["sourc ... ) => x) |
